Ed's Blog

This afternoon (Tuesday, 8 December), the U.S. House Financial Services Committee is expected to pass HR 2205, the bi-partisan Data Security Act of 2015. The bill is a massive attack on state privacy laws. Hidden inside a seemingly modest proposal to establish federal data breach notice and data security requirements is a Trojan Horse provision designed to take state consumer cops off the privacy beat, completely and forever. That's wrong, because the states have always been key first responders and leaders on privacy threats that Congress has ignored, from credit report accuracy and identity theft to data breaches and do-not-call lists.

Yesterday we joined 17 leading consumer and privacy groups in a letter to the committee. Here is an excerpt on its preemptive sweep:

"On balance, H.R. 2205 would do consumers far more harm than good, and we therefore must urge you to oppose it.

First and foremost, H.R. 2205 would eliminate stronger existing state protections and prevent future state innovation. The Data Security Act of 2015 would supersede all state laws on data security and breach notification—including those protecting personal information not covered by this bill. For example, the legislation would squelch new and developing laws in several states extending data security and breach notification protections to online account login information, including email accounts and cloud photo storage. The bill does not cover information about an individual’s geographic location or electronic communications. Biometric data is covered but only to the extent that it can be used to gain access to financial accounts. It is unclear whether “medical information” would include the broad range of data that is collected about individuals’ physical or mental health through websites and wearable devices."

In July, an unprecedented bi-partisan list of 47 state and territorial Attorneys General sent their own letter to Congressional leaders. Excerpt:

"Federal Law Should Not Preempt State Law

"State attorneys general are on the front lines responding to data breaches. Our offices hear directly from affected consumers, and we regularly respond directly to their complaints and calls. For example, the Office of the Illinois Attorney General has helped over 38,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts. Any federal legislation on data breach notification and data security should recognize this important role and not hinder states that are helping their residents. Preempting state law would make consumers less protected than they are right now. Our constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns.

"Toward that end, it is important that any federal legislation ensure that states can continue to enforce breach notification requirements under their own state laws. States should also be assured continued flexibility to adapt their state laws to respond to changes in technology and data collection. As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy. States have been able to amend their laws and focus their enforcement efforts on those areas most affecting consumers."

In addition to the problems described in our letter, over 100 merchant and retailer associations oppose the bill because it imposes two tiers of rules. Banks would continue to be subject to an existing weak regime that does not even require breach notices, only modest plans. Other firms are subject to the bill's higher requirements.

The bill is not only designed to serve the banks, but pays fealty to another powerful special interest, an organization of telecommunications behemoths with the Orwellian name of the 21st Century Privacy Coalition. Its actual goal is to evade existing strong privacy rules of the Federal Communications Commission. As we note in our letter:

"Further, H.R. 2205 would eliminate key protections under the Communications Act for telecommunications, cable, and satellite records. The Communications Act contains very strong data security and breach notification protections for information about customers’ use of telecommunications services, such as phone call histories and location data. It also protects cable and satellite subscribers’ information, including their viewing histories. But as with email login information and photos, this bill is too narrow to cover that information. It would simply eliminate crucial federal data security and breach notification protections for telecommunications usage information and cable and satellite viewing histories."

In 2003, when Congress enacted major changes to the Fair Credit Reporting Act but failed to adequately address identity theft, we launched a campaign, with Consumers Union, to pass state data breach notice and security freeze laws in nearly every state. Sadly, if HR 2205 becomes law, it not only weakens many of those laws, it prevents the states from acting against most privacy threats ever again.

My recent testimony on credit and debit card anti-hacking technology protections, or what I call "Chip, Why Not Chip-and-Pin?", goes into detail on breach and preemption issues. The recent testimony of Massachusetts Assistant Attorney General Sara Cable before Congress is also instructive. Massachusetts has some of the most robust data security and data breach laws in the nation, as that link explains. Finally, Laura Moy of New America's Open Technology Institute testified recently before the Financial Services Committee. OTI is a signatory to our group letter.